✅D31eg4t3
Idea
The challenge contract does delegatecall on address(msg.sender), which is user-controlled:
    function hackMe(bytes calldata bites) public returns(bool, bytes memory) {
        (bool r, bytes memory msge) = address(msg.sender).delegatecall(bites);
        return (r, msge);
    }
The other function uses the onlyOwner modifier:
    function hacked() public onlyOwner {
        canYouHackMe[msg.sender] = true;
    }
However, there is no way to pass this modifier, since it unconditionally reverts:
    modifier onlyOwner {
        require(false, "Not a Owner");
        _;
    }
But we can modify storage slots directly via the delegatecall. Recall that delegatecall is like calling a library function: the callee's code runs in the caller's context, so any state changes it makes are written to the caller's storage, not the callee's. Because the target address here is msg.sender, the caller chooses which code runs against the challenge contract's storage.
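The following is an added illustration, not the challenge's code: the same caller-controlled delegatecall beside a hardened version that only ever delegates to a fixed implementation. The storage layout (owner in slot 0, then the mapping) is assumed, as the challenge's real layout is not shown.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not the challenge's code. With delegatecall the callee's
// code runs against THIS contract's storage, so a write to "slot 0" in the
// callee lands in `owner` here and writes to the mapping's slots land in
// `canYouHackMe`. (Layout assumed; the challenge's real layout is not shown.)

contract Vulnerable {
    address public owner;
    mapping(address => bool) public canYouHackMe;

    constructor() { owner = msg.sender; }

    // Anyone can call from a contract and have that contract's code executed
    // with this contract's storage: the same pattern as the challenge.
    function hackMe(bytes calldata bites) public returns (bool, bytes memory) {
        (bool r, bytes memory msge) = address(msg.sender).delegatecall(bites);
        return (r, msge);
    }
}

contract Hardened {
    address public owner;
    mapping(address => bool) public canYouHackMe;

    // Fixed at deployment; cannot be pointed at caller-controlled code.
    // The implementation must be audited to share this storage layout.
    address public immutable impl;

    constructor(address impl_) {
        require(impl_.code.length > 0, "impl must be a contract");
        owner = msg.sender;
        impl = impl_;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "Not a Owner");
        _;
    }

    // Only the fixed implementation runs in this storage context, and only
    // the owner can trigger it; the caller no longer chooses the code.
    function hackMe(bytes calldata bites) public onlyOwner returns (bool, bytes memory) {
        (bool r, bytes memory msge) = impl.delegatecall(bites);
        return (r, msge);
    }
}
```

Static analysis catches the first pattern: Slither's controlled-delegatecall detector reports any delegatecall whose target is derived from user input.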
PoC